hc-httpclient-users mailing list archives

From David Motes <davidmo...@gmail.com>
Subject Re: Controlling HTTP Basic authentication
Date Wed, 07 Dec 2016 16:09:48 GMT
You need to fix your server.
HTTP is a stateless protocol, which is why cookies were invented in the
first place.
Once the client is notified by the server that authentication is required
by the 401 it has to send the auth info with every request.  There is no
inherent state in HTTP.
When the server gets a cookie it should do whatever is required to
validate it and not start a new session as the cookie is the correlation
for the session.

On Wed, Dec 7, 2016 at 9:54 AM, Gordon Ross <gr306@uis.cam.ac.uk> wrote:

> I’m using basic HTTP authentication in my application. I’ve configured it
> up, and watching the debug logs, I can see the initial HTTP request, a 401
> coming back and HTTP Client then supplying the Authorization header. The
> server then sends back a session cookie, and HTTP Client stores this away.
> So far, so good.
>
> My problem is that for every subsequent HTTP request, HTTP Client is
> re-sending the Authorization header. The far end treats this as a fresh
> authentication request and issues a fresh session cookie. After a while,
> the far end starts to complain about too many sessions.
>
> Is there a way to tell HTTP Client to only send the Authorization header
> in response to a 401 from the server, instead of with every request? Or do
> I have to manually add & remove the Authorization header myself?
>
> Thanks,
>
> GTG
> --
> Gordon Ross
>
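
The reply's advice expressed as server-side logic, as an added example that is not part of either message: a valid session cookie is reused even when the client re-sends the Authorization header, so no new session is issued. The handler, the cookie name `SID`, the realm, and the in-memory user and session tables are all hypothetical.

```python
import base64
import hmac
import secrets
from http.cookies import SimpleCookie

USERS = {"alice": "s3cret"}  # constructed sample; a real store holds password hashes
SESSIONS = {}                # session id -> username (hypothetical in-memory table)
CHALLENGE = {"WWW-Authenticate": 'Basic realm="example"'}

def basic_credentials(headers):
    """Return (user, password) from a Basic Authorization header, or None."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def verify(creds):
    """Constant-time password comparison; unknown users always fail."""
    user, password = creds
    expected = USERS.get(user)
    ok = hmac.compare_digest(password.encode(), (expected or "").encode())
    return ok and expected is not None

def handle(headers):
    """Return (status, response_headers) for one request."""
    creds = basic_credentials(headers)
    if creds is not None and not verify(creds):
        return 401, CHALLENGE
    cookie = SimpleCookie(headers.get("Cookie", ""))
    sid = cookie["SID"].value if "SID" in cookie else None
    owner = SESSIONS.get(sid)
    # The cookie is the session correlation: reuse the session even though
    # Authorization was re-sent, unless the credentials name another user.
    if owner is not None and (creds is None or creds[0] == owner):
        return 200, {}
    if creds is None:
        return 401, CHALLENGE
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = creds[0]
    return 200, {"Set-Cookie": f"SID={new_sid}; HttpOnly; Secure; SameSite=Strict"}
```

With this ordering the session table grows only when a request arrives without a valid cookie, which is the behaviour the reply asks of the server.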
